Zero-Day Vulnerabilities: Exploitation Trends and Lessons Learned

Posted on May 1, 2025
Author: Doug Britton

Zero-day vulnerabilities are one of the most significant threats facing enterprises and critical infrastructure. These unknown software flaws, which attackers can exploit before patches become available, pose substantial risks to essential systems, operations, and sensitive data across industries.

In 2024 alone, security researchers at Google tracked 75 zero-day vulnerabilities exploited in the wild. Particularly alarming is that 44% of these targeted enterprise products, highlighting how attractive zero-day vulnerabilities are to cybercriminals and nation-state threat actors. For example, we’ve seen how Volt Typhoon and Salt Typhoon have specifically targeted operational technology (OT) systems through unpatched vulnerabilities.

Whether we’re considering weapons systems, critical service providers, security vendors, or others, nation-states and other malicious actors have their eyes on zero-day flaws as a means to cause widespread damage and disruption.

What Are Zero-Day Vulnerabilities and Why Are They Exploited?

A zero-day vulnerability is a flaw in software that is unknown to the software’s developers or vendors. Because no patch exists to correct the flaw, attackers can exploit it to gain unauthorized access to systems, disrupt operations, or steal sensitive data. Zero-day attacks are especially dangerous because they target unsuspecting systems, leaving defenders without sufficient time to react until after the vulnerability is discovered and addressed.

Attackers exploit zero-day vulnerabilities for several reasons:

  • Access to critical systems: Whether targeting enterprise networks or OT environments, attackers can exploit zero-day vulnerabilities to bypass security controls and gain unauthorized entry.
  • Widespread impact: Exploiting a zero day in commonly used software or widely deployed systems can lead to mass compromise.
  • Advantage in intelligence gathering: Nation-state threat actors frequently use zero days to extract sensitive intelligence, setting the stage for future attacks.
  • Disruption: Threat actors utilize zero-day exploits as a weapon to disrupt operations, with the potential for significant financial and operational repercussions.

Recent Trends in Zero-Day Exploitation

The growing risk of zero-day vulnerabilities stems from several key factors, such as the rise in interconnected devices and the wider use of open-source software. Here are some important trends to keep in mind.

1. Enterprise Software in the Crosshairs

Of the 75 zero days exploited in 2024, 44% targeted enterprise systems. Specific cases include:

  • Ivanti VPN Zero Days: Ivanti’s Connect Secure VPN devices became a notable target for attackers, with seven zero days discovered, including CVE-2025-0282, which allowed remote code execution. Attackers used these vulnerabilities to inject malware into corporate networks.
  • Palo Alto Networks PAN-OS: A command-injection exploit allowed attackers to bypass security controls in enterprise firewalls, exposing sensitive environments to intrusions.

Such examples underscore the need for enterprises, as high-value targets, to proactively address vulnerabilities across their technology stacks.

2. Supply Chain Attacks: The Multiplier Effect

Attackers increasingly target software supply chains, exploiting vulnerabilities at the development stage. For instance:

  • MOVEit Transfer and Jenkins Vulnerabilities: A critical path traversal flaw (CVE-2024-23897) within Jenkins could result in arbitrary code execution. If exploited, attackers gain opportunities to insert malware into countless downstream applications.

Supply chains present an ideal target because a single vulnerability in shared components can impact thousands of users across industries.

3. Embedded Software Under Fire

Embedded systems used in everything from medical devices to automotive software face a particular zero-day risk because of their reliance on C/C++ code. Research shows that 70% of vulnerabilities in compiled code are memory safety issues, such as buffer overflows and use-after-free errors. Attackers favor these flaws because they are difficult to detect and can cause major disruptions.
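To make the buffer-overflow class concrete (and to illustrate the "memory safety matters" lesson later in the post), here is an added example that is not part of the original article or of any RunSafe product: a constructed length-prefixed record parser of the kind an embedded controller might run, in a deliberately unsafe form beside a bounds-checked form. The frame layout, the PAYLOAD_MAX size and the record struct are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame layout: [1-byte payload length][payload bytes]. */
#define PAYLOAD_MAX 16

struct record {
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* Deliberately unsafe: trusts the attacker-controlled length byte and copies
 * that many bytes into a fixed 16-byte buffer. A frame declaring len > 16
 * overflows 'payload' and clobbers adjacent memory. Shown only to illustrate
 * the flaw class; never call on untrusted input. */
int parse_record_unsafe(const uint8_t *frame, size_t frame_len, struct record *out)
{
    if (frame_len < 1) return -1;
    out->len = frame[0];
    memcpy(out->payload, frame + 1, out->len);   /* no bound on out->len */
    return 0;
}

/* Hardened: validate the declared length against both the buffer capacity
 * and the bytes actually present before any memory is written. */
int parse_record_safe(const uint8_t *frame, size_t frame_len, struct record *out)
{
    if (frame == NULL || out == NULL || frame_len < 1) return -1;
    uint8_t declared = frame[0];
    if (declared > PAYLOAD_MAX) return -2;            /* would overflow payload */
    if ((size_t)declared > frame_len - 1) return -3;  /* frame is truncated */
    out->len = declared;
    memcpy(out->payload, frame + 1, declared);
    return 0;
}

int main(void)
{
    /* Constructed frames: a well-formed one and one declaring 200 bytes. */
    uint8_t good[] = {4, 'A', 'B', 'C', 'D'};
    uint8_t bad[]  = {200, 'X', 'Y'};
    struct record r;
    printf("good frame: %d\n", parse_record_safe(good, sizeof good, &r));  /* 0 */
    printf("bad frame:  %d\n", parse_record_safe(bad, sizeof bad, &r));    /* -2 */
    return 0;
}
```

The unsafe variant is the pattern runtime protections and static analysis aim to catch; the safe variant is the check a code review should insist on.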

Key embedded-system sectors targeted include:


Ways to Defend Against Zero-Day Vulnerabilities

While it’s impossible to eliminate all vulnerabilities, organizations can take proactive steps to reduce their exposure to zero-day exploits. Below are actionable recommendations for enterprises and developers:

1. Adopt a Zero Trust Architecture

Zero trust assumes no implicit trust between systems. By applying strict access controls and continuously verifying users and devices, enterprises can minimize the impact of zero-day breaches.

2. Perform Dynamic and Static Analysis

Dynamic application security testing (DAST) and static application security testing (SAST) tools can identify vulnerabilities before they’re exploited. Automated testing provides invaluable insights into weak spots.

3. Deploy Runtime Protections

Solutions like runtime exploit prevention can defend applications against zero-day exploitation in live environments. For embedded systems, tools like RunSafe Protect are ideal for neutralizing memory safety vulnerabilities, providing real-time defense against exploits.

4. Strengthen Vulnerability Management Programs

A thorough vulnerability management program helps organizations prioritize high-risk systems, improve patch timelines, and reduce attack surfaces. An important starting point is to generate comprehensive SBOMs that provide visibility into software components.

5. Assess Total Zero-Day Exposure

The Google report found that use-after-free errors, command injection, and cross-site scripting (XSS) were the most frequently exploited vulnerability types. Deploying secure coding practices is one way to address these issues and minimize the number of zero-day vulnerabilities in code.

In the case of memory safety vulnerabilities, understanding potential zero-day exposure through tools like RunSafe’s Risk Reduction Analysis gives organizations unprecedented visibility into their vulnerability landscape. By analyzing return-oriented programming (ROP) chains, the analysis quantifies exposure to memory-based zero days and how much risk can be reduced by applying targeted protections where they matter most.


Lessons Learned from Recent Zero-Day Incidents

The continued use of zero days by nation-state actors underscores the importance of adopting a proactive approach to security. Lessons include:

  • Memory safety matters: With many recent exploits stemming from memory flaws, securing codebases in languages like C/C++ is paramount. Runtime protections defend new and legacy code to prevent attackers from taking advantage of these flaws.
  • Supply chain hygiene is critical: Minimizing risk in software supply chains requires vetting third-party code carefully and implementing Software Bills of Materials (SBOMs) to identify and address potential weaknesses.
  • No one is immune: Enterprises, operational technology vendors, and critical service providers alike must address their unique attack surfaces to avoid becoming the next victim of a zero-day exploit.

Gaining the Upper Hand Against Zero-Day Attacks

Nation-state actors and sophisticated criminal groups continue to leverage zero-day vulnerabilities because they consistently deliver results. The Ivanti exploits and other critical vulnerabilities throughout 2024 reinforce the need for secure coding practices and security solutions that take away attackers’ ability to exploit software flaws.

Visibility is also an important way to level the playing field. We know that memory safety flaws remain a predominant source of zero-day exploits. Tools like RunSafe’s Risk Reduction Analysis give organizations the ability to quantify their exposure to CVEs and memory-based zero days.

By analyzing an SBOM or binary, the tool gives organizations visibility into weak spots in their software and the ability to apply remediations before attackers exploit them, transforming their security posture from reactive to proactive. When it comes to zero-day vulnerabilities, knowledge isn’t just power. It’s protection.
